
UNITED STATES DEPARTMENT OF COMMERCE
United States Patent and Trademark Office
Address: COMMISSIONER FOR PATENTS
P.O. Box 1450
Alexandria, Virginia 22313-1450
www.uspto.gov



APPLICATION NO.: 10/815,191
FILING DATE: 03/31/2004
FIRST NAMED INVENTOR: Amit Bagga
ATTORNEY DOCKET NO.: 503048-US-CIP (Bagga)
CONFIRMATION NO.: 7508



47702 7590 01/23/2008

RYAN, MASON & LEWIS, LLP
1300 POST ROAD
SUITE 205
FAIRFIELD, CT 06824



EXAMINER: GYORFI, THOMAS A
ART UNIT: 2135
PAPER NUMBER:
MAIL DATE: 01/23/2008
DELIVERY MODE: PAPER

Please find below and/or attached an Office communication concerning this application or proceeding.

The time period for reply, if any, is set in the attached communication. 



PTOL-90A (Rev. 04/07) 



Office Action Summary 


Application No.: 10/815,191
Applicant(s): BAGGA ET AL.
Examiner: Tom Gyorfi
Art Unit: 2135





- The MAILING DATE of this communication appears on the cover sheet with the correspondence address - 
Period for Reply 



A SHORTENED STATUTORY PERIOD FOR REPLY IS SET TO EXPIRE 3 MONTH(S) OR THIRTY (30) DAYS, 
WHICHEVER IS LONGER, FROM THE MAILING DATE OF THIS COMMUNICATION. 

- Extensions of time may be available under the provisions of 37 CFR 1.136(a). In no event, however, may a reply be timely filed
after SIX (6) MONTHS from the mailing date of this communication. 

- If NO period for reply is specified above, the maximum statutory period will apply and will expire SIX (6) MONTHS from the mailing date of this communication. 

- Failure to reply within the set or extended period for reply will, by statute, cause the application to become ABANDONED (35 U.S.C. § 133).
Any reply received by the Office later than three months after the mailing date of this communication, even if timely filed, may reduce any 
earned patent term adjustment. See 37 CFR 1.704(b). 

Status 

1) [X] Responsive to communication(s) filed on 31 October 2007.
2a) [ ] This action is FINAL. 2b) [X] This action is non-final.
3) [ ] Since this application is in condition for allowance except for formal matters, prosecution as to the merits is
closed in accordance with the practice under Ex parte Quayle, 1935 C.D. 11, 453 O.G. 213.

Disposition of Claims 

4) [X] Claim(s) 1-27 is/are pending in the application.
4a) Of the above claim(s) ____ is/are withdrawn from consideration.
5) [ ] Claim(s) ____ is/are allowed.
6) [X] Claim(s) 1-27 is/are rejected.
7) [ ] Claim(s) ____ is/are objected to.
8) [ ] Claim(s) ____ are subject to restriction and/or election requirement.

Application Papers 

9) [ ] The specification is objected to by the Examiner.
10) [ ] The drawing(s) filed on ____ is/are: a) [ ] accepted or b) [ ] objected to by the Examiner.
Applicant may not request that any objection to the drawing(s) be held in abeyance. See 37 CFR 1.85(a).
Replacement drawing sheet(s) including the correction is required if the drawing(s) is objected to. See 37 CFR 1.121(d).
11) [ ] The oath or declaration is objected to by the Examiner. Note the attached Office Action or form PTO-152.

Priority under 35 U.S.C. § 119 

12) [ ] Acknowledgment is made of a claim for foreign priority under 35 U.S.C. § 119(a)-(d) or (f).
a) [ ] All b) [ ] Some * c) [ ] None of:

1. [ ] Certified copies of the priority documents have been received.
2. [ ] Certified copies of the priority documents have been received in Application No. ____.
3. [ ] Copies of the certified copies of the priority documents have been received in this National Stage
application from the International Bureau (PCT Rule 17.2(a)).
* See the attached detailed Office action for a list of the certified copies not received.



Attachment(s) 

1) [X] Notice of References Cited (PTO-892)
2) [ ] Notice of Draftsperson's Patent Drawing Review (PTO-948)
3) [ ] Information Disclosure Statement(s) (PTO/SB/08) Paper No(s)/Mail Date ____.
4) [ ] Interview Summary (PTO-413) Paper No(s)/Mail Date ____.
5) [ ] Notice of Informal Patent Application
6) [ ] Other: ____.



U.S. Patent and Trademark Office
PTOL-326 (Rev. 08-06)
Part of Paper No./Mail Date 20080117

Application/Control Number: 10/815,191
Art Unit: 2135



DETAILED ACTION 

1. Claims 1-27 remain for examination. The correspondence filed 10/31/07 
amended claims 1, 21, and 27. 

Continued Examination Under 37 CFR 1.114 

2. A request for continued examination under 37 CFR 1.114, including the fee set
forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this 
application is eligible for continued examination under 37 CFR 1.114, and the fee set 
forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action 
has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on 
10/31/07 has been entered. 

Response to Arguments 

3. Applicant's arguments filed 10/31/07 with regards to the rejection of claim 27 
under 35 USC 101 have been fully considered but they are not persuasive. Applicant 
has amended the claim to recite that the article of manufacture is a machine-readable
storage medium; however, this fails to resolve the problems identified by the Examiner 
for two reasons. 

First, the instant specification explicitly discloses information on a network (the 
intangible signal embodiments) as being a memory [i.e. a storage medium] "because 
the associated processor can retrieve the information from the network" (specification, 
page 21, line 25 - page 22, line 3). Accordingly, the fact that the claim now recites a 
storage medium does not preclude the claimed invention from being embodied as a
wholly intangible signal(s) of information. Such an embodiment is not a judicially 
recognized article of manufacture, as per Diamond v. Chakrabarty, 447 U.S. 303, 308, 
206 USPQ 193, 196-197 (1980). Examiner respectfully suggests that this primary issue 
may be overcome either by further amending the claim to limit the article of manufacture 
to being any of the "recordable medium" variants (see specification, page 21, line 17) or 
in the alternative, by amending the specification to remove those references of a signal 
or network transmission medium as being a permissible storage medium. 

Second, even if the specification did not define the term "storage medium" to 
include signals, the traditional types of storage media explicitly disclosed by the 
specification (the recording media: "e.g. floppy disks, hard drives, compact disks, or 
memory cards" as listed on page 21, lines 13-24) do not themselves perform any of the 
recited steps in the claim. For example, a floppy disk cannot by itself "perform an 
Internet search" or any of the other limitations recited in the claim; rather, the storage 
media exist to provide a computer (for which no recitation exists in the claim) with the 
program code that will compel said computer to perform those limitations. Even the 
specification limits the code embodiment strictly to being operable "in conjunction with a 
computer system" (page 21, lines 15-17). Clearly, then, the claimed article of 
manufacture does not produce a useful result, despite the claim language being written 
to suggest that the article of manufacture directly executes the one or more programs 
stored therein. Examiner respectfully suggests that this secondary issue could be 
overcome if the claim were further amended to explicitly recite that the one or more
programs are executed by a computer. 

4. Applicant's arguments with respect to the prior art rejections of claims 1-27 have 
been considered but are moot in view of the new ground(s) of rejection. 

Claim Rejections - 35 USC § 101 

5. The text of those sections of Title 35, U.S. Code not included in this action can 
be found in a prior Office action. 

6. Claim 27 is rejected under 35 U.S.C. 101 because the claimed invention is 
directed to non-statutory subject matter, and lacks patentable utility. The claim is
directed to an article of manufacture comprising a machine-readable storage medium
containing one or more programs; however, as the article of manufacture does not
appear to be defined as any type of computer or machine capable of executing the
claimed program (see the instant specification, page 21, lines 12-24), the claimed
subject matter lacks any requisite functionality to satisfy the practical application
requirement, making the claim non-statutory: Diamond v. Diehr, 450 U.S. at 185-186,
209 USPQ at 8 (noting that the claims for an algorithm in Benson were unpatentable as
abstract ideas because "[t]he sole practical application of the algorithm was in
connection with the programming of a general purpose computer.") See also MPEP §
2106.01. Furthermore, the claim encompasses intangible embodiments that are
non-statutory as discussed above, which do not qualify as "articles of manufacture" or any of
the other statutory classes of invention. Appropriate correction is required.

Claim Rejections - 35 USC § 103

7. Claims 1-27 are rejected under 35 U.S.C. 103(a) as being unpatentable over the 
P-Synch version 6.2 software product, as evidenced by the "P-Synch Installation and
Configuration Guide" (hereinafter, "P-Synch"), in view of the web page 
"SecurityStats.com Password Strength Meter" (hereinafter, "SecurityStats.com"). 

Regarding claims 1, 21, and 27: 

P-Synch discloses a method, apparatus, and article of manufacture for 
evaluating a password proposed by a user during an enrollment process (page 21, "5.3 
Accounts on target systems") comprising: receiving said proposed password from said 
user (page 4, "3. Users select a new password..."); evaluating results from a table 
lookup relative to one or more predefined thresholds (page 4, "4. P-Synch checks the 
new password..."; cf. pages 124-126, but particularly those rules on page 126 as 
indicated); and rejecting said proposed password when said user is correlated with said 
proposed password if one or more of said predefined thresholds are exceeded by said
results (Ibid). With respect to claim 21, P-Synch is installed on a server (page 28, "1.
Prepare a P-Synch server..."), which inherently possesses memory and a processor 
coupled to said memory. 

P-Synch does not explicitly disclose performing an Internet search using a query 
containing one or more keywords derived from said proposed password. However, it is 
observed that P-Synch, while already possessing a defined set of rules to measure a
proposed password's strength, can nevertheless be extended by allowing an admin to
add new rules via a plugin (page 127, section 10.19.1 "Adding new rules with a plugin
program"). Furthermore, it is observed that P-Synch is essentially a web application, in
that users interact with P-Synch via a web browser (page 6, "2.2.1 User Interfaces"; cf.
Figure 10.3 on page 93) and P-Synch is capable of interacting with other web sites via a
web interface (see the "HTTP apps" and "HTTPS apps" on page 20; cf. the sample
scripts for interacting with a website on pages 327 & 328). Moreover, SecurityStats.com
discloses a publicly available web site on the Internet that one may query to determine if
a password is sufficiently strong (see page 1). Additionally, SecurityStats.com
recommends not using the actual proposed password but rather something similar [i.e.
a keyword] to perform the query (page 1, 2nd paragraph). Thus the claim is obvious
because all the claimed elements were known in the art, and one of ordinary skill in the 
art could have combined the elements as claimed by known methods (i.e. writing a 
plug-in for P-Synch to use P-Synch's web interface to query SecurityStats.com as a 
new password strength rule), and the combination would have yielded predictable 
results to one of ordinary skill in the art at the time of the invention. 

Regarding claims 2, 3, and 22: 

P-Synch further discloses wherein said one or more predefined correlation rules 
evaluate whether that said proposed password can be [qualitatively: the password is the 
username; quantitatively: the password is similar to the username] correlated with said 
user (page 126, as indicated).

Regarding claims 4, 6, 23, and 24:

P-Synch further discloses wherein said proposed password is comprised of a 
proposed answer and a proposed hint (the user Q&A profiles on pages 83 and 199-200; 
cf.). Although P-Synch has many rules by which one can correlate a proposed 
password to known weak passwords, P-Synch does not explicitly disclose determining 
whether the proposed answer can be correlated to/obtained from the proposed hint (i.e. 
the proposed password should not be similar to any of the personal information used in 
establishing one's personal profile - see also page 6, "2.2.2 Authentication System"). 
However, P-Synch discloses that one can augment the rules by which it determines the 
strength of proposed passwords (via external plug-ins, page 126; cf. sections 10.19.1 
and 10.19.2 on pages 127-128) developed using techniques that one of ordinary skill in 
the art would have known (pages 576-584), said plug-ins allowing P-Synch to query 
additional sources for password strength rules (Ibid). Furthermore, SecurityStats.com 
teaches that it was common knowledge that various kinds of information already 
retained by P-Synch for a user's personal profile (the hints and answers) make for
very weak passwords (the "DONTS" list on pages 1-3). It would have been obvious to 
one of ordinary skill in the art at the time the invention was made to develop a plug-in for 
P-Synch, in accordance with the techniques explicitly disclosed for that exact purpose, 
that would have allowed it to query the user's personal profile to see if the proposed 
answer correlates to [e.g. is an anagram of], or can be obtained from [e.g. is an exact 
match for], the password hint. All the claimed elements were known in the prior art and 
one skilled in the art could have combined the elements as claimed by the disclosed 
methods, and the combination would have yielded predictable results to one of ordinary
skill in the art at the time of the instant invention. 

Regarding claim 5: 

P-Synch further discloses wherein said particular relation is selected from the 
group consisting essentially of self, family member, co-author, teammate, colleague, 
neighbor, community member, or household member (pages 83, 199, & 200). 

Regarding claims 7 and 25: 

P-Synch further discloses wherein said proposed password is an identifying 
number (e.g. PIN number, e.g. page 6, "2.2.2 Authentication Systems"). 

Regarding claims 8, 10, 11 and 26: 

Although P-Synch discloses wherein said proposed password is an identifying
number, it does not explicitly disclose rules to determine if the identifying number meets
any of the following criteria: whether said identifying number identifies a person in a
particular relationship to said user [claims 8 and 26], identifies a top N commercial entity
[claim 10], or identifies said user [claim 11]. However, P-Synch maintains a database
with each of those pieces of information: a number that identifies a person in a particular
relationship to said user ("Family member phone number that is not your own", pages
83 and 200), a top N[1] commercial entity (radio station dial number, Ibid), and the user
("Your SSN", Ibid). P-Synch further discloses that one can augment the rules by which
it determines the strength of proposed passwords (via external plug-ins, page 126; cf.
sections 10.19.1 and 10.19.2 on pages 127-128) developed using techniques that one
of ordinary skill in the art would have known (pages 576-584), said plug-ins allowing
P-Synch to query additional sources for password strength rules (Ibid). Furthermore,
SecurityStats.com teaches that it was common knowledge that each piece of personal
information known to be recorded by P-Synch makes for a very weak password (the
"DONT'S" list on pages 1-3). It would have been obvious to one of ordinary skill in the
art at the time the invention was made to develop a plug-in for P-Synch, in accordance
with the techniques explicitly disclosed for that exact purpose, that would have allowed
it to query the user's personal profile to evaluate whether the identifying number meets
any of the recited criteria in these claims. All the claimed elements were known in the
prior art and one skilled in the art could have combined the elements as claimed by the
known methods, and the combination would have yielded predictable results to one of
ordinary skill in the art at the time of the instant invention.

[1] For purposes of the rejection of claim 10, it is assumed that N=1.

Regarding claim 9: 

P-Synch further discloses wherein said one or more pre-defined correlation rules 
evaluate whether said identifying number is a top N most commonly used identifying 
number (in the embodiment where the password is a PIN, the password history rules on 
pages 126 and 127).

Regarding claims 12-14:

P-Synch further discloses wherein said identifying number is a portion of a 
telephone number, address, or social security number (pages 83 and 200). 

Regarding claim 15: 

P-Synch further discloses wherein said proposed password is a word (page 125, 
the dictionary rules). 

Regarding claim 16: 

P-Synch further discloses wherein said one or more predefined correlation rules 
evaluate whether a correlation between said word and said user exceeds a predefined 
threshold (e.g. the last two rules on page 125). 

Regarding claim 17: 

P-Synch further discloses wherein said correlation is determined by performing a 
meta-search (searching in accordance with rules found in one or more external plug-ins 
and/or the password history table, page 126). 

Regarding claim 18: 

P-Synch further discloses wherein said step of ensuring a correlation further 
comprises the step of performing a meta-search (Ibid).

Regarding claim 19:

P-Synch further discloses wherein said step of ensuring a correlation further 
comprises the step of performing a local proximity evaluation (e.g. the last two rules on 
page 125, and the variants of the username on page 126). 

Regarding claim 20: 

P-Synch further discloses wherein said step of ensuring a correlation further 
comprises the step of performing a number classification (the digits rules: page 125). 



Conclusion 

8. The prior art made of record and not relied upon is considered pertinent to 
applicant's disclosure: the "P-Synch white paper" further corroborates Examiner's 
analysis that the P-Synch product was capable of interacting directly with other web 
applications (see page 8, "Web applications"). 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Tom Gyorfi whose telephone number is (571) 272-3849. 
The examiner can normally be reached on 8:30am - 5:00pm Monday - Friday. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Kim Vu can be reached on (571) 272-3859. The fax phone number for the 
organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of an application may be obtained from the
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a 
USPTO Customer Service Representative or access to the automated information 
system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.